What does malicious iFrames virus do?

My understanding of iFrames virus from Googling is that once a user browses to an infected website, the script will trigger the download of malware automatically without the user's consent.

I'm using NIS 2011 and Google Chrome. I noticed that while both of them could block a number of known infected websites, there are some malicious websites that both didn't block.

Is there a chance such malware could also be auto-executed (other than being downloaded) and cause an infection on the host computer like modifying system settings and files? Will I be protected even if NIS doesn't notify me of any attack, or is it overkill to surf the internet inside a sandbox?

Drive-by download and drive-by install are almost the same process since malware has to run in order to create damage. So it first has to get downloaded (whole or part of the malicious code/sequence/software) and then it runs... often automatically or even with the help of the user... for example, when trying to close a fake pop-up window etc.

Hippocrates said:

Will I be protected even if NIS doesn't notify me of any attack, or is it overkill to surf the internet inside a sandbox?

Generally you'll be protected if NIS detects the threat. If not... and if your only protection layer is NIS... then you are not protected. But before saying so you have to consider that security software could alert you using some kind of web shield while you visit a malicious site or by scanning all the downloaded files. I mean that even if security software does not detect or know a malicious site, it should know the malicious downloaded file. So if you are sure that a certain site is malicious and you get no alert, then and only if you are 100% sure that the site is malicious and you notice various malicious activity on your PC, you can say that NIS did not protect you.

Surfing the web with a sandboxed browser is one of the best security habits you may have.

In theory Chrome should provide a better level of protection against attacks coming via the web. But still Chrome is not immune and has security holes. So there is the always present issue: if the malicious web site knows how to trick your browser and your AV does not know the threat, then you're fried.

Thanks for your detailed explanation. I always thought that my computing habit is kind of safe as I only execute/install well-known programs from authentic sources, but after reading a few articles on iFrame virus, I'm not so sure anymore. Hackers could inject malicious code into a seemingly normal website and lure unsuspecting users to download certain viruses.

What I'm wondering is... let's say the virus is being downloaded automatically by the scripts and not being caught by the antivirus, is there such an avenue or function in the web browser (i.e. Chrome) for it to be executed automatically without informing me? Or would it just sit in my cache and not do any harm if I'm not dumb enough to execute it? Normally a downloaded program needs to be launched manually by the user, or else it won't execute itself. Are those iFrame viruses an exception in that they can execute themselves or fool the browser into executing them without notifying me?

It's true that my only layer of security is NIS. There were occasions that NIS did not alert me when I visited some malicious links (posted in a security forum) but I had not for once found my computer behaving weird. That's why I was wondering if Google Chrome refuses the iFrame viruses a privilege to auto-execute themselves, hence meaning that I'm actually protected despite there's no protection from the antivirus at that moment.

Otherwise, I really may have to install a sandbox though it sounds a bit paranoid to me.
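
An added illustration, not part of the original thread: the post above describes attackers injecting code into a seemingly normal website. Seen from the site owner's side, such an injection usually shows up as an iframe that points off-site and is invisible to the visitor, and the Python below audits a page's HTML for that combination. The hiding heuristics, the function and class names and the sample page are all assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline styles that hide a frame from the visitor (assumed heuristics).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)|"
    r"(?:left|top)\s*:\s*-\d{3,}px", re.I)


class IframeAudit(HTMLParser):
    """Records every <iframe> with the reasons it looks off-site or hidden."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))
        reasons = []
        if urlparse(src).hostname != urlparse(self.page_url).hostname:
            reasons.append("off-site")
        if a.get("width") in {"0", "1"} or a.get("height") in {"0", "1"}:
            reasons.append("tiny")
        if HIDING_STYLE.search(a.get("style", "")):
            reasons.append("hidden-by-style")
        self.findings.append((src, reasons))


def suspicious_iframes(html, page_url):
    """Return frames that are both off-site and invisible to the visitor."""
    audit = IframeAudit(page_url)
    audit.feed(html)
    return [(s, r) for s, r in audit.findings if "off-site" in r and len(r) > 1]


# Constructed sample: a visible embed, a hidden same-site frame, a hidden off-site frame.
SAMPLE = """<html><body>
<iframe src="https://video.example.net/embed/1" width="560" height="315"></iframe>
<iframe src="/widgets/poll.html" style="display:none"></iframe>
<iframe src="http://ads.example.org/x" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE, "https://shop.example.com/index.html"))
```

Only the third frame in the sample is reported; a visible off-site embed or a hidden same-site frame alone is not flagged, which keeps ordinary video embeds and widgets out of the results.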

Hi, I don't use Chrome so can't comment on it. However I do use FF with NoScript, which has excellent iframe blocking, amongst lots of other things.

Also my AV, Avira, is very good at blocking these malicious attacks too.

I know the above aren't what you're using, but I'm posting as an FYI and for others too.

Thanks for your suggestions. I used Firefox and Avira in the past but not now anymore. As for NoScript, I installed it once just to test but somehow a few of my regular websites didn't appear normal after that, so I believe it was also blocking some "desirable" scripts. Hence, I'm not too sure if I should install NoScript when it has been ported as an extension for Chrome.

Yes, Chrome's sandboxing functions will protect you. The problem is (like I mentioned above) that Chrome itself and your operating OS are not bulletproof, so an author of malicious code could take advantage of a hole and manage to pass Chrome's sandbox and then defeat the OS protections (not an easy thing but could happen). I've also mentioned above that in theory Chrome provides better protection.

I don't want to alarm you... in most cases NIS and Chrome will protect you perfectly.

Intrusion Prevention scans all the network traffic that enters and exits your computer and compares this information against a set of attack signatures. Attack signatures contain the information that identifies an attacker's attempt to exploit a known operating system or program vulnerability. Intrusion Prevention protects your computer against most common Internet attacks.

For more information about the attacks that Intrusion Prevention blocks, go to the following URL:

If the information matches an attack signature, Intrusion Prevention automatically discards the packet and breaks the connection with the computer that sent the data. This action protects your computer from being affected in any way.

There are some people at this forum who, knowing what is possible, use multiple layers of virtualization.
Peter2150 to name one.
For example, they will use Sandboxie running on Returnil.
Or Sandboxie running on x, y, or z.

I run Chrome (and FF) in Sandboxie. I do not feel much of an overhead and don't care about being thought of as overcautious. It's my PC!

I also have Avira (free).

Guess I'm outdated, I had been reading forum and I kept seeing people mentioning there's no NoScript for Chrome.

Well, I'll think about installing Sandboxie (or not to). Naturally I would like to keep the security layers to be minimum. If NIS and Chrome could do the job sufficiently, I wouldn't want to buy Sandboxie just to prevent a possibly super-rare event where a virus could penetrate Chrome's sandbox, Windows protection, and NIS.

Example of Norton IPS blocking access to a site that attempts drive-by download of malicious file:

Hi 3GUSER,

I would love to have IPS and SafeWeb, but IE and Firefox are not an option for me. I used Firefox for years until I felt that I couldn't bear its sluggishness on my laptop, especially when dealing with multiple tabs.

Anyway, I tried your link where Norton IPS protects, just for the sake of experimenting, knowing that I have a good copy of system backup.

Google identified it as a malicious website and blocked it... even after pressing "proceed" on two occasions, somehow, the "antivirus.exe" virus file couldn't be downloaded at all, needless to say being executed. I've no idea what's going on behind the scenes as I'm not proficient in IT, but I guess to a casual user, that means there were some forms of protection with Chrome.

I'm only worried about auto-download and auto-execution of script virus. If user's consent is required for execution, I guess I'll be pretty safe.

If I'm ever going to use Sandboxie, I'll definitely buy a license. The extra feature that you can force all browsers/any application to run in the sandbox is too good to be missed. That's another layer of protection against user's carelessness.

Well, I have a licensed copy of Sandboxie, but the way I see it is if a user is too lazy/careless to right-click a browser icon and select "run sandboxed", they have problems already. There's one thing and one thing only that separates free from paid and makes a difference: the ability to have more than 1 sandbox open at a time. I HATE that restriction, it's a sure-fire way to get someone to eventually pay.

On topic though, I don't think I've seen an IFRAME for a while, let alone an attack using it.

Firefox w/NoScript (forbid IFRAME enabled) Sandboxed and you are done. Try FF and NS again and do yourself a favor and start using SBIE. It does not matter whether it is the free or paid version, both would protect you the same and will help you have a more enjoyable browsing since you will not get paranoid anymore.

If you feel uncomfortable noticing that some web-sites do not work properly due to JavaScript being blocked by NoScript running on FF, you may as well grant permissions to those particular web-sites so they can display content that you are not able to see due to NS.

Now, if the web-site that you have already granted permission through NoScript had already been compromised, then you are in trouble because harmful iFrames can attack you through Java Runtime + Adobe Flash Player + Adobe Reader vulnerabilities.

I've seen this myself while experimenting with the so called Exploit Kits [ Eleonore, Phoenix, CrimePack, Siberia, etc. ]

Thus, if you think you're going to grant permissions to web-sites through NS then you also need Sandboxie. If the web-site is “behaving badly”, then running FF within a Sandbox can save you headaches. The iFrames could still attack your browser and even crash it but it will be confined to the Sandbox.

So, recapping: run FF + NS and do it with FF running sandboxed in case the web-site you granted permissions has already been compromised.

Carlos

P.S.: I run a paid version of SB but I installed the unpaid version on my sister's laptop and while she's running a sandboxed FF she has been able to open the IE also sandboxed. I might be mistaken but if that is the case then more than 1 application can be run sandboxed simultaneously with the non-paid version.

... ... if that is the case then more than 1 application can be run sandboxed simultaneously with the non-paid version.

I think that is quite correct. One can run several programmes sandboxed at the same time in the free version. The main difference is that the paid version allows you to have several different sandboxes at the same time. The user could then empty one or more but not the other(s).